Apple has belatedly patched a security hole in the Java engine it ships with Mac OS X - the very hole exploited by hackers to infect Apple's own developers, their counterparts at Facebook and scores of other Mac-using companies.
The vulnerability allowed miscreants to execute malicious code outside of the limited and supposedly …

Re: It's pretty hard to keep up, it's not like they are exactly loaded with money.

A good example is better..

Why not...

...just hand management of the entire steaming poo over to Oracle instead of getting stuck in the middle of somebody else's release schedule. Then they can just point the finger without the reputation damage that Java is currently causing them.

What is this cosy relationship between Java and Apple anyway?

Since Apple demoted Java from being the "first class" citizen of OS X that they originally anticipated, there's no real decent reason for them to be involved in the release of somebody else's software.

Except, for some of us, we have to run Java to do our jobs. And if we don't, then we don't get paid, so can't pay the rent and so are thus homeless and starving to death.

So, on balance, I'd say installing Java to remove the malware was a good idea, and at the same time, following the advice in this article to be aware if someone does manage to get malware on my machine:

How would you know your machine was part of a botnet these days? Given Flash and Java are so full of holes, browsers aren't always that secure, anti-virus is not perfect, then all it may have taken is some malicious Google ad appearing on some website I visited at some point to have installed some rootkit.

If anti-virus doesn't pick it up then it's hidden. I can't trust any readout from software for what my computer is doing. Internet running slow? I can run netstat to see all active connections, or run wireshark or something to look at packets, but have the underlying network assemblies been tampered with so that certain information is being hidden from me?

The only thing I can think of is to resort to extremes like always browsing the internet under a VM, or setting up another machine as a router so that I can monitor the traffic without fear that some rootkit is hiding stuff. Or reinstall the OS regularly (under the idea that it might help).

Then again there is the tree falls in a forest principle: if I am part of a botnet but don't know I am part of a botnet, do I care?

Browsing under a VM isn't a guarantee. There's been far too many break-out vulnerabilities for that to be a trusted setup. Monitoring from a router would be better, as the attack surface of the router can be made much smaller than that of the regular machine. And, nastily enough, there's been root kits that survive an OS reinstall by hiding in the boot memory...

By and large, for most people, I suspect these days you know you're part of a botnet when your ISP calls you and tells you...

If a tree falls in a forest....

@NomNomNom, I was going to comment on Apple's idea of security (...to use the malware removal tool you have to install Java...), but it seems self explanatory as to why it is a bad plan. Instead, you raise a couple of good points.

I do not see how browsing through a VM should be considered an extreme act, especially as at least one OS is in the works which virtualizes (if that is even a word) pretty much everything.

As far as being lost amongst the trees, well, I suspect you will not care why your machine acts odd from time to time, or runs slow, or that your identity has been stolen, only that these things have happened. If your machine has been compromised and is part of a botnet, it probably has other malware, too.

Install something like LittleSnitch. That'll alert you to anything new that starts communicating from your machine to the outside world.

It's a pain for the first week or so, as you get alerted to everything, and have to acknowledge the ones you're okay with and investigate the ones you're suspicious of. But after you've got it bedded in, then you know that any alert that comes up which you didn't do anything unusual to initiate is likely malware trying to dial home, and so you can kill it.
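The two comments above describe the same technique from different angles: run `netstat`/`lsof` to see active connections, and (as Little Snitch does) learn a baseline of what normally talks out, then alert on anything new. The script below is an added example, not part of the original thread or of Little Snitch: it parses `lsof -i -n -P`-style output, learns a baseline of (process, protocol, remote host, remote port) tuples from a "first week" snapshot, and flags connections in a later snapshot that are not in it. Both snapshots are constructed sample text, not real captures, and the addresses and process names in them are made up. The caveat raised in the thread still applies: if the host's own `lsof`/`netstat` has been tampered with by a rootkit, this sees only what the tool chooses to show; the same diff logic works unchanged on connection logs pulled from a separate router or monitoring box.

```python
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed `lsof -i -n -P` output standing in for the "first week" of alerts,
# after which the user has accepted Safari and Mail as legitimate. Not real data.
BASELINE_SNAPSHOT = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari     1203  alice  20u  IPv4 0x1a2b      0t0  TCP 192.168.1.10:52311->93.184.216.34:443 (ESTABLISHED)
Mail        980  alice  15u  IPv4 0x3c4d      0t0  TCP 192.168.1.10:52315->17.57.144.10:993 (ESTABLISHED)
sshd        210   root   3u  IPv4 0x7a8b      0t0  TCP *:22 (LISTEN)
"""

# Constructed later snapshot: the known processes again (different local ports,
# same remote endpoints), a UDP socket with no peer, and a new outbound
# connection from a java process to port 6667, which is what a dial-home looks like.
LATER_SNAPSHOT = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari     1203  alice  22u  IPv4 0x1a2c      0t0  TCP 192.168.1.10:52402->93.184.216.34:443 (ESTABLISHED)
Mail        980  alice  15u  IPv4 0x3c4d      0t0  TCP 192.168.1.10:52315->17.57.144.10:993 (ESTABLISHED)
mDNSRespo   120  _mdns   7u  IPv4 0x9c9d      0t0  UDP *:5353
java       4411  alice  33u  IPv4 0x5e6f      0t0  TCP 192.168.1.10:52399->198.51.100.7:6667 (ESTABLISHED)
"""


class Conn(NamedTuple):
    process: str
    proto: str
    remote_host: str
    remote_port: int
    state: str


# One data line of `lsof -i -n -P`:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
_LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)

# Baseline key: which program talks to which remote host and port over which protocol.
Key = Tuple[str, str, str, int]


def _split_hostport(endpoint: str) -> Tuple[str, int]:
    # rpartition so IPv6 literals such as [2001:db8::1]:443 split on the last colon
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_lsof(text: str) -> List[Conn]:
    """Return the connections that have a remote peer; skip header, LISTEN and peerless UDP."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = _LSOF_LINE.match(line)
        if not m or "->" not in m.group("name"):
            continue
        _local, remote = m.group("name").split("->", 1)
        host, port = _split_hostport(remote)
        conns.append(Conn(m.group("cmd"), m.group("proto"), host, port, m.group("state") or ""))
    return conns


def key_of(c: Conn) -> Key:
    return (c.process, c.proto, c.remote_host, c.remote_port)


def learn_baseline(conns: List[Conn]) -> Set[Key]:
    """The 'bedding in' phase: everything seen and accepted becomes allowed."""
    return {key_of(c) for c in conns}


def new_connections(conns: List[Conn], baseline: Set[Key]) -> List[Conn]:
    """Connections not covered by the baseline: the ones worth an alert."""
    return [c for c in conns if key_of(c) not in baseline]


if __name__ == "__main__":
    allowed = learn_baseline(parse_lsof(BASELINE_SNAPSHOT))
    for c in new_connections(parse_lsof(LATER_SNAPSHOT), allowed):
        print(f"ALERT: {c.process} -> {c.remote_host}:{c.remote_port}/{c.proto} ({c.state})")
```

Keying on the remote host as well as the port is deliberate: a browser opening port 443 to a new site is normal, but a process that has never talked out before opening port 6667 to an address you do not recognise is exactly the case the comment above says to investigate.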

Botnets

The best, but not guaranteed, way would be to have two computers, one of them being completely standalone and not exposed to your network / internet and comprising all your data and applications that you actually do work on. Files are then burned to a CD / DVD and transferred to the other PC for emailing, etc. I don't actually do this, but am beginning to consider it. The isolated PC would also be one of my self-built older ones, to help minimise the risk that the hardware / firmware is infiltrated by the Chinks.

Re: A world without browser Java and Flash would be great

Perhaps Adobe and Oracle should be required to provide complete, current, cumulative, and detailed instructions, prominently displayed on their own sites, for how to go about definitively uninstalling software like Flash and Java--nuke-it-from-orbit-style.

Can someone explain to me ....

How a hole in the Java software ... is Apple's fault???

And let's get something straight: malware on desktop computers is pretty much a Windows problem, we are still talking small change when it comes to Apple, and no amount of snide reporting, or AC boot licking, is going to change that.

Re: Meh, it's an Apple OS problem.

"Wrong, if you have Java 6 without the patch then you are vulnerable.

Java is a compiled interpreted language and any exploit in the VM can be possible on multiple OSes in some cases."

But you see, since any time there is an "issue" in the Wintel world so many tektards are gleefully shouting about it you can pretty much get the gist within hours from the side of a milk carton, everyone else got the memo about Java from their browser weeks ago and, if they had any sense, took the suggestion seriously and turned the bugger off, since Oracle weren't being terribly pro-active about dealing with the problem.

In the Apple world the problems still exist, it's just that no-one talks about them (sometimes because getting a fix involves NDA paperwork - according to one famous Apple promoting geek). The uninformed Apple kit user - which is most of 'em - is rather hung out to dry on a string of increasingly untrue assumptions drawn using an internet crime model from the last century. No glee here in saying that, I use whatever comes to hand. Linux, Solaris, AIX, OS2200, Windows; all just tools needed to get the real work done (which isn't anything to do with computers as I keep reminding our "server division").

That bloke who was crying about not getting paid will likely either be overjoyed at the overtime or crying again soon - I'm told by our Java lot that installing 7 caused no end of problems in some of our legacy applications. Serves 'em right. We move money from place to place, we don't launch rockets or run massive shared world online games and we don't offer anything sophisticated in our website access because we don't need to. What we need is more Cobol* not closer ties to Oracle.

@AC 2013/2/20 14:51 GMT

Wow. Not only no sense of humor, but while you can make out the words you can't interpret the icon. It was a riff on all the Mactards always posting that malware is only a Windows problem.

If you've read ANY of my other posts you'd know I take vulnerabilities ANYWHERE seriously. I particularly take note of Java vulnerabilities because some fucktards way up the chain of command insist critical financial apps in our organization run on Java versions known to be vulnerable. At one point we still depended on 1.5.16 and Sun had discontinued support for any version of v5 3 years earlier. That this app potentially conflicted with any of three OTHER financial apps that depend on still different specific outdated versions of Java only made it more fun when one of them failed because of a corruption somewhere in the Java stack because we still pushed updates to try to protect the network.

Re: Meh, it's an Apple OS problem.

The problem isn't Apple or Microsoft, it's Oracle. Oracle has the worst security practices in the industry (granted Sun really got the ball rolling with their shit JVM implementation originally). I can't believe so many of the world's databases are running on their junk software methodology. If you install Oracle or Adobe software it doesn't really matter what your OS is. You are asking for a world of hurt if your computer is connected to a network.

Re: Meh, it's an Apple OS problem.

Younger participants (assuming that there are some?)

CoBoL

Common Business Oriented Language - an attempt to take geekiness out of geek to provide solutions pragmatic and practical (and usually anti-theory, non-theory or contra-theory business types favoured such as: No, don't want a new computer language. Computer has a language and we just want it to do as we want it to do. Okay?)

thus doing things on a pootah that emulated older, traditional non-computational working methods that might have lacked logic yet oozed human values in a way that non-geeks enjoyed an intimate understanding of and influence in, no?

Re: Meh, it's an Apple OS problem.

"Common Business Oriented Language - an attempt to take geekiness out of geek to provide solutions pragmatic and practical (and usually anti-theory, non-theory or contra-theory business types favoured such as: No, don't want a new computer language. Computer has a language and we just want it to do as we want it to do. Okay?)

thus doing things on a pootah that emulated older, traditional non-computational working methods that might have lacked logic yet oozed human values in a way that non-geeks enjoyed an intimate understanding of and influence in, no?"

The syntactic structure is reasonably close, but no one would believe this was written by a human. I think your model needs more training.

Oracle's problem

No, it's not. Oracle released a patch for all Oracle versions of Java. APPLE RELEASED A CUSTOM VERSION OF JAVA 6, THEN DIDN'T BOTHER TO RELEASE A PATCH. The blame for that is squarely at the feet of Apple.

hahahahahahahah

Duh

"But to use the malware removal tool you have to install Java and this is perhaps not the best idea especially since the language has become a prime target for hacking attacks of late, as Sean Sullivan of security software firm F-Secure notes."

Install Java but don't enable the browser applet plugin. Java by itself is no danger.